Unrated severityNVD Advisory· Published Mar 13, 2026· Updated Mar 16, 2026

AnythingLLM has a Zip Slip Path Traversal and Code Execution via Community Hub Plugin Import

CVE-2026-32719

Description

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, The ImportedPlugin.importCommunityItemFromUrl() function in server/utils/agents/imported.js downloads a ZIP file from a community hub URL and extracts it using AdmZip.extractAllTo() without validating file paths within the archive. This enables a Zip Slip path traversal attack that can lead to arbitrary code execution.

Affected products

Mintplex Labs/Anything LLMv5
Range: <= 1.11.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/Mintplex-Labs/anything-llm/commit/6a492f038da195a5c9a239d5ca2e9f2151c25f8cmitrex_refsource_MISC
github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-rh66-4w74-cf4mmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000